2025Activity reportProject-Team​​​‌CARAMBA

6.1.1 Belenios‌​‌

• Name:
  Belenios - Verifiable​​ online voting system
• Keyword:​​​‌
  E-voting
• Functional Description:

  Belenios‌ is an open-source online‌​‌ voting system that provides​​ vote confidentiality and verifiability.​​​‌ End-to-end verifiability relies on‌ the fact that the‌​‌ ballot box is public​​ (voters can check that​​​‌ their ballots have been‌ received) and on the‌​‌ fact that the tally​​ is publicly verifiable (anyone​​​‌ can recount the votes).‌ Vote confidentiality relies on‌​‌ the encryption of the​​ votes and the distribution​​​‌ of the decryption key‌ (no one knows the‌​‌ full secret key).

  Belenios​​ supports various kind of​​​‌ elections. In the standard‌ mode, Belenios supports simple‌​‌ elections where voters simply​​ select one or more​​​‌ candidates. It also supports‌ arbitrary counting functions at‌​‌ the cost of a​​ slightly more complex tally​​​‌ procedure for the authorities.‌ For example, Belenios supports‌​‌ Condorcet, STV, and Majority​​ Judgement, where voters rank​​​‌ candidates and grade them.‌

  Belenios is available in‌​‌ several languages for the​​ voters as well as​​​‌ the administrators of an‌ election.

• Release Contributions:

  Belenios‌​‌ 3.1 mostly includes important​​ fixes after the deployment​​​‌ of our new administrator‌ interface.

  It also includes‌​‌ some security enhancements. Some​​ of them (missing checks​​​‌ from the auditors) follow‌ remarks from Thomas Haines‌​‌ and Jarrod Rose. Others​​ include use of authenticated​​​‌ encryption AES-GCM instead of‌ AES-CCM and reduced usage‌​‌ of the cryptographic library​​ SJCL.

• News of the​​​‌ Year:

  In 2025, our‌ platform was used to‌​‌ run about 1500 elections,​​ with about 200,000 registered​​​‌ voters and 60,000 ballots‌ counted.

  Belenios 3.1 mostly‌​‌ includes important fixes after​​ the deployment of our​​​‌ new administrator interface. It‌ also includes some security‌​‌ enhancements. Some of them​​ follow remarks from Thomas​​​‌ Haines and Jarrod Rose.‌ Others (eg use of‌​‌ AES-GCM instead of AES-CCM,​​ reduced usage of SJCL)​​​‌ have been suggested after‌ the CSPN evaluation, unfortunately‌​‌ not successful for Belenios.​​

• URL:
  https://­www.­belenios.­org/
• Contact:
  Stéphane​​​‌ Glondu
• Participants:
  Pierrick Gaudry,‌ Stéphane Glondu, Véronique Cortier‌​‌
• Partners:
  CNRS, Inria

6.1.2​​ CADO-NFS

• Name:
  Crible Algébrique:​​​‌ Distribution, Optimisation - Number‌ Field Sieve
• Keywords:
  Cryptography,‌​‌ Number theory
• Functional Description:​​
  Cado-NFS is a complete​​​‌ implementation in C/C++ of‌ the Number Field Sieve‌​‌ (NFS) algorithm for factoring​​ integers and computing discrete​​​‌ logarithms in finite fields.‌ It consists in various‌​‌ programs corresponding to all​​ the phases of the​​​‌ algorithm, and a general‌ script that runs them,‌​‌ possibly in parallel over​​ a network of computers.​​​‌
• News of the Year:‌

  In 2025, CADO-NFS included‌​‌ several long-overdue code base​​ changes. Those are mostly​​​‌ intended to limit the‌ divergence of the multiple‌​‌ code branches that we​​ have. In particular, newly​​​‌ included features include having‌ the option of enabling‌​‌ bucket-sieving for prime powers.​​​‌

  Beginning in 2025, Cado-NFS​ includes experimental adaptations that​‌ also support using the​​ self-initializing quadratic sieve, in​​​‌ particular in the context​ of class group computations​‌ for quadratic fields. This​​ development is still underway​​​‌ in 2026.

• URL:
  https://­cado-nfs.­inria.­fr/​
• Contact:
  Emmanuel Thomé
• Participants:​‌
  Pierrick Gaudry, Emmanuel Thomé,​​ Paul Zimmermann

6.1.3 CORE-MATH​​​‌

• Name:
  CORE-MATH
• Keywords:
  Arithmetic​ code, Floating-point, Correct Rounding​‌
• Functional Description:
  CORE-MATH Mission:​​ provide on-the-shelf open-source mathematical​​​‌ functions with correct rounding​ that can be integrated​‌ into current mathematical libraries​​ (GNU libc, Intel Math​​​‌ Library, AMD Libm, Newlib,​ OpenLibm, Musl, Apple Libm,​‌ llvm-libc, CUDA libm, ROCm)​​
• News of the Year:​​​‌
  In 2025, several single-precision​ functions from CORE-MATH were​‌ integrated into the GNU​​ libc. Also, a full​​​‌ set of functions was​ implemented for half-precision (FP16)​‌ and brain-float (BF16).
• URL:​​
  https://­core-math.­gitlabpages.­inria.­fr/
• Publication:
  hal-03721525
• Contact:​​​‌
  Paul Zimmermann
• Participant:
  Paul​ Zimmermann

6.1.4 GNU MPFR​‌

• Keywords:
  Multiple-Precision, Floating-point, Correct​​ Rounding
• Functional Description:
  GNU​​​‌ MPFR is an efficient​ arbitrary-precision floating-point library with​‌ well-defined semantics (copying the​​ good ideas from the​​​‌ IEEE 754 standard), in​ particular correct rounding in​‌ 5 rounding modes. It​​ provides about 100 mathematical​​​‌ functions, in addition to​ utility functions (assignments, conversions...).​‌ Special data (Not a​​ Number, infinities, signed zeros)​​​‌ are handled like in​ the IEEE 754 standard.​‌ GNU MPFR is based​​ on the mpn and​​​‌ mpz layers of the​ GMP library.
• News of​‌ the Year:
  GNU MPFR​​ received the prize "science​​​‌ ouverte" for open-source research​ tools, category "scientific and​‌ technical". This prize is​​ decerned by the French​​​‌ minister of high schools,​ research and space.
• URL:​‌
  https://­www.­mpfr.­org/
• Publications:
  hal-01394289,​​ hal-01502326, inria-00069930,​​​‌ inria-00070174, inria-00103655,​ inria-00000026
• Contact:
  Vincent Lefèvre​‌
• Participants:
  Paul Zimmermann, Vincent​​ Lefèvre, 2 anonymous participants​​​‌

6.1.5 Riemann theta functions​ in FLINT

• Keywords:
  Numerical​‌ algorithm, Number theory
• Functional​​ Description:
  This FLINT module,​​​‌ called acb_theta, allows the​ user to numerically evaluate​‌ Riemann theta functions in​​ any dimension, with certified​​​‌ error bounds in the​ context of FLINT's interval​‌ arithmetic (ex-Arb). This implementation​​ performs a lot better​​​‌ than other state-of-the-art software​ (SageMath, Magma). Moreover, the​‌ algorithm used is quasi-linear​​ in terms of the​​​‌ required precision. The goal​ of this module is​‌ to encourage the use​​ of numerical computations on​​​‌ Riemann theta functions, in​ particular for applications in​‌ number theory.
• Release Contributions:​​
  FLINT 3.3.0 features a​​​‌ major rewrite of the​ acb_theta module with better​‌ performance (especially in higher​​ dimensions up to 8-10),​​​‌ more compact code, and​ an enriched user interface.​‌ This also fixed a​​ bug which caused the​​​‌ software to output enclosures​ of infinite radius in​‌ some cases. The software's​​ performance is documented in​​​‌ the preprint https://hal.science/hal-05088784v2 .​
• News of the Year:​‌
  FLINT 3.3.0, featuring a​​ major rewrite of the​​​‌ acb_theta module, was released.​
• URL:
  https://­github.­com/­flintlib/­flint/
• Publication:
  hal-05088784​‌
• Contact:
  Jean Kieffer
• Participant:​​
  Jean Kieffer

6.1.6 rrspace​​​‌

• Name:
  Riemann-Roch spaces
• Keyword:​
  Riemann-Roch spaces
• Functional Description:​‌
  The C++/NTL software rrspace​​ implements an algorithm for​​​‌ computing a basis of​ the Riemann-Roch space associated​‌ to a divisor on​​ a curve defined over​​ a finite field. It​​​‌ also implements an algorithm‌ for computing the group‌​‌ law in the Jacobian​​ of such curves. The​​​‌ main algorithm is a‌ variant of Brill-Noether's approach,‌​‌ designed during Aude Le​​ Gluher's Master internship in​​​‌ 2018.
• News of the‌ Year:
  State-of-the-art sub-quadratic methods‌​‌ have been implemented by​​ using the PML library​​​‌ (https://github.com/vneiger/pml) for fast computations‌ with polynomial matrices. The‌​‌ general quality of the​​ code has been significantly​​​‌ improved (CI, unit tests,‌ linting).
• URL:
  https://­gitlab.­inria.­fr/­pspaenle/­rrspace
• Contact:‌​‌
  Pierre Jean Spaenlehauer
• Participant:​​
  Pierre Jean Spaenlehauer

7.1.1 The CORE-MATH project‌

Participants: Paul Zimmermann.‌​‌

The aim of the​​ CORE-MATH project is to​​​‌ provide on-the-shelf open-source mathematical‌ functions with correct rounding‌​‌ that will be integrated​​ into current mathematical libraries​​​‌ (GNU libc, Intel Math‌ Library, AMD Libm, Newlib,‌​‌ OpenLibm, Musl, Apple Libm,​​ llvm-libc, CUDA libm, ROCm).​​​‌ These functions are implemented‌ in the C language‌​‌ and target the three​​ IEEE 754 binary formats​​​‌ (single precision, double precision,‌ quadruple precision), and also‌​‌ the extended double precision​​ (significand of 64 bits).​​​‌ This project is motivated‌ by the fact that‌​‌ current mathematical libraries are​​ far from giving the​​​‌ best possible results, as‌ demonstrated in 35.‌​‌ Together with Nicolas Brisebarre,​​ Guillaume Hanrot and Jean-Michel​​​‌ Muller (AriC project and‌ Cryptolab), we study why‌​‌ correctly-rounded results are important,​​ how they can be​​​‌ obtained and at what‌ cost 20.

In‌​‌ 2025, hard-to-round cases of​​ the tgamma and lgamma​​​‌ functions were computed in‌ double precision, which enabled‌​‌ an efficient implementation of​​ these functions in CORE-MATH.​​​‌ The main result for‌ 2025 was the computation‌​‌ of the hard-to-round cases​​ for the trigonometric functions​​​‌ (sin, cos, tan) in‌ double precision, using a‌​‌ new algorithm and the​​ use of the CRYPTANALYSE​​​‌ cluster (see Section 6.2‌). This result was‌​‌ presented in Lyon in​​ November at the RAIM​​​‌ workshop organized for the‌ retirement of Jean-Michel Muller.‌​‌ This is joint work​​ with Tue Ly (Google),​​​‌ and an article describing‌ the new algorithm will‌​‌ be submitted to the​​ Arith 2026 conference, with​​​‌ Tue Ly and Vincent‌ Lefèvre (Pascaline team, Lyon).‌​‌

Also, a complete set​​ of C23 functions were​​​‌ implemented for half-precision (FP16)‌ and “brain-float” (BF16).

New‌​‌ correctly-rounded single-precision functions from​​​‌ the CORE-MATH project have​ been integrated into the​‌ GNU C library, release​​ 2.42: acospi, asinpi​​​‌, atanpi, cospi​, sinpi, tanpi​‌, atan2pi. Seven​​ double-precision functions should be​​​‌ integrated in GNU libc​ 2.43, which will be​‌ released end of January​​ 2026: acosh, asinh​​​‌, atanh, erf​, erfc, lgamma​‌, tgamma.

7.1.2​​ Computing isomorphisms between superspecial​​​‌ abelian surfaces

Participants: Pierrick​ Gaudry, Julien Soumier​‌, Pierre-Jean Spaenlehauer.​​

Recent advances in isogeny-based​​​‌ post-quantum cryptography have shed​ light on the importance​‌ of algorithms for abelian​​ varieties of dimension $>‌1$ in cryptographic applications.​ Julien Soumier's Ph.D. focuses​‌ on the algorithmic aspects​​ of products of supersingular​​​‌ elliptic curves. In particular,​ we propose in 34​‌ a polynomial-time algorithm (complexity​​ proven under the generalized​​​‌ Riemann hypothesis) to compute​ isomorphisms between such products.​‌ The existence of such​​ isomorphisms is guaranteed by​​​‌ a classical theorem by​ Deligne, Ogus and Shioda,​‌ and our work makes​​ this result effective.

7.1.3​​​‌ Fast evaluation of Riemann​ theta functions

Participants: Jean​‌ Kieffer.

The Riemann​​ theta functions are a​​​‌ family of complex-analytic special​ functions that are intimately​‌ related to the theory​​ of abelian varieties (of​​​‌ any dimension $g$)​ over the complex numbers.​‌ In many algorithms, a​​ crucial step is to​​​‌ numerically evaluate the Riemann​ theta functions at a​‌ given point; often, the​​ result is an algebraic​​​‌ number that one can​ then try to identify​‌ exactly. This typically requires​​ working with very high​​​‌ numerical precision and provably​ correct error bounds.

In​‌ collaboration with Noam D.​​ Elkies, we constructed a​​​‌ new, fast algorithm for​ evaluating Riemann theta functions​‌ in any dimension $\mathrm{g}$. In contrast to​​​‌ previous methods, it is​ not restricted to low​‌ dimensions such as $\mathrm{g}\le 2$, and​​​‌ allows for rigorous error​ bounds. This algorithm is​‌ presented in 33 along​​ with a full complexity​​​‌ proof, experimental timings measured​ from our implementation in​‌ FLINT 3.3.0, and an​​ application to the inverse​​​‌ Galois problem in number​ theory.

7.1.4 Point counting​‌ on abelian surfaces over​​ finite fields

Participants: Ilan​​​‌ Ehrlich, Jean Kieffer​.

Given a genus​‌ 2 curve over a​​ finite field of cryptographic​​​‌ size, it is still​ a computational challenge today​‌ to compute its number​​ of points, a necessary​​​‌ step for classical cryptography​ based on hyperelliptic curves.​‌ While the Schoof–Elkies–Atkin (SEA)​​ algorithm, which solves the​​​‌ problem in the case​ of elliptic curves, has​‌ been known for 30​​ years, its generalization to​​​‌ genus 2 has only​ recently been described in​‌ Jean Kieffer 's Ph.D.​​ thesis 50 and a​​​‌ sizeable amount of work​ remains before its full​‌ implementation.

One key step​​ in this algorithm is​​​‌ to compute isogenies between​ Jacobians of genus 2​‌ curves from modular polynomials.​​ The article presenting how​​​‌ to perform this task​ has been published this​‌ year 23. Implementing​​ this algorithm beyond toy​​​‌ examples remains to be​ done. Similarly, il will​‌ be necessary to re-implement​​ the evaluation of modular​​ polynomials in a clean​​​‌ way using our recent‌ work on the evaluation‌​‌ of Riemann theta functions,​​ as explained in 49​​​‌.

Another aspect of‌ this research is on‌​‌ the theoretical complexity analysis​​ of point counting. Here,​​​‌ a key result is‌ that on average, there‌​‌ exist sufficiently many small-degree​​ isogenies from the Jacobian​​​‌ of our genus 2‌ curve that are defined‌​‌ over the base field.​​ We proved this result​​​‌ in collaboration with Alexandre‌ Benoist in 2024 when‌​‌ the genus 2 curves​​ arise from the reduction​​​‌ of a fixed curve‌ over a number field‌​‌ modulo primes. The associated​​ article was published this​​​‌ year 17. Work‌ continues to adapt this‌​‌ result to another case​​ of interest, when the​​​‌ genus 2 curve is‌ drawn at random over‌​‌ a fixed base field.​​

Finally, Ilan Ehrlich's internship​​​‌ is also related to‌ point counting. His work‌​‌ focuses on modular polynomials​​ (in the genus 1​​​‌ case) with alternative invariants,‌ which can be much‌​‌ smaller than the “classical”​​ modular polynomials that are​​​‌ often used in the‌ SEA algorithm. Surprisingly, a‌​‌ proven explanation of this​​ well-known phenomenon has never​​​‌ appeared in print to‌ the best of our‌​‌ knowledge. While this work​​ is still at a​​​‌ preliminary stage, pursuing similar‌ ideas in genus 2‌​‌ seems a fruitful topic​​ for future work.

7.1.5​​​‌ Isogeny classes of abelian‌ surfaces over number fields‌​‌

Participants: Hugo Nartz,​​ Jean Kieffer, Emmanuel​​​‌ Thomé.

Another use‌ for the fast algorithms‌​‌ to evaluate Riemann theta​​ functions, more geared towards​​​‌ fundamental arithmetic geometry, is‌ to compute isogeny classes.‌​‌ The situation for elliptic​​ curves is well understood,​​​‌ so we consider dimension‌ 2: we fix a‌​‌ number field $K$ and​​ a genus 2 curve​​​‌ $C$ over $K$,‌ and ask to compute‌​‌ the (finite) list of​​ all genus 2 curves​​​‌ $C^{\text{'}}$ over $\mathrm{K‌}$ such that the Jacobians‌​‌ of $C$ and ${\mathrm{C}}^{\text{'}}$ are isogenous. Finding​​​‌ out which shapes of‌ isogeny classes can appear‌​‌ helps our understanding of​​ the classification of Galois​​​‌ representations attached to those‌ curves, a major and‌​‌ difficult topic in number​​ theory.

Hugo Nartz started​​​‌ his Ph.D. on this‌ topic in October 2025,‌​‌ supervised by Emmanuel Thomé​​ and Jean Kieffer .​​​‌ The goals will be‌ to generalize the article‌​‌ 57 of Kieffer and​​ his coauthors, which assumed​​​‌ simplifying hypotheses ($\mathrm{K‌}=\mathbb{Q}$ and no‌​‌ nontrivial endomorphisms). Removing each​​ hypothesis is a substantial​​​‌ challenge which will lead‌ to new mathematical results‌​‌ and software implementations.

7.1.6​​ Formalization of Markovian Decision​​​‌ Processes in Lean

Participants:‌ Pierre-Jean Spaenlehauer.

Pierre-Jean‌​‌ Spaenlehauer and Olivier Buffet​​ (CR Inria, EPI LARSEN)​​​‌ were advisors for Jarod‌ Galbrun's internship (ENS Lyon,‌​‌ L3), who worked on​​ formalizing classical results on​​​‌ Markovian Decision Processes within‌ the proof assistant Lean.‌​‌ Markovian Decision Processes are​​ models which are sufficiently​​​‌ expressive to encode many‌ decision-making situations, while being‌​‌ formalized in a mathematical​​ language which is convenient​​​‌ for formal proofs. The‌ main contribution of Jarod‌​‌ Galbrun's internship is the​​​‌ formalization of a classical​ theorem which states that​‌ Markovian decision processes with​​ finite states, finite possible​​​‌ actions, and finite time​ horizon admit an optimal​‌ solution which is deterministic​​ (i.e., making an optimal​​​‌ decision does not require​ randomness) and Markovian (i.e.,​‌ making an optimal decision​​ only requires information about​​​‌ the present state and​ does not need any​‌ past information). The code​​ is available on the​​​‌ ENS Lyon gitlab server​.

7.2.1 A Note on​​ the use of the​​​‌ Double Boomerang Connectivity Table​ (DBCT) for Spotting Impossibilities​‌

Participants: Xavier Bonnetain,​​ Virginie Lallemand.

This​​​‌ short note examines the​ impossible boomerang distinguisher on​‌ Skinny-128-384 proposed by Zhang,​​ Wang and Tang at​​​‌ ToSC 2024 Issue 2​ and shows that the​‌ use of the Double​​ Boomerang Connectivity Table (DBCT)​​​‌ gave them an incorrect​ distinguisher. We discuss the​‌ limit of the DBCT​​ in general and disprove​​​‌ the specific impossibility claim​ of Zhang and co-authors​‌ by displaying a counter-example.​​ We conclude that the​​​‌ DBCT is a dangerous​ tool that does not​‌ capture the actual probability​​ of a 2-round boomerang.​​​‌

7.2.2 Improved Quantum Linear​ Attacks and Application to​‌ CAST

In 16,​​ we show how to​​​‌ combine Quantum Fourier Transform-based​ linear attacks, that biaises​‌ a distribution of key​​ guesses towards the correct​​​‌ one, and standard quantum​ key distinguishers, that can​‌ tell whether a key​​ guess is correct. We​​​‌ apply this idea to​ Feistel ciphers and exemplify​‌ different attack strategies on​​ LOKI91 before applying our​​​‌ idea on the CAST-128​ and CAST-256 ciphers. We​‌ demonstrate the approach with​​ two kinds of distinguishers,​​​‌ quantum distinguishers based on​ Simon’s algorithm and linear​‌ distinguishers. The resulting attacks​​ outperform the previous Grover-meet-Simon​​​‌ attacks.

7.2.3 A New​ Tool to Find Lightweight​‌ (And, Xor) Implementations of​​ Quadratic Vectorial Boolean Functions​​​‌ up to Dimension 9​

Participants: Marie Bolzer,​‌ Sébastien Duval, Marine​​ Minier.

In this​​​‌ work 18, we​ build a new synthesiser,​‌ a tool that outputs​​ an electronic circuit to​​​‌ implement a given function.​ This tool is specifically​‌ aimed at finding circuits​​ efficient for lightweight protected​​​‌ implementations of cryptographic functions,​ minimising the number of​‌ AND gates in the​​ circuit. It is limited​​​‌ to quadratic functions, but​ gives results far beyond​‌ the state of the​​ art, which could only​​​‌ handle functions with up​ to 5, sometimes 6​‌ input bits, while our​​ tool can handle any​​​‌ quadratic function up to​ 9 bits, giving well-optimised​‌ circuits.

7.2.4 Skyscraper: Fast​​ Hashing on Big Primes​​​‌

Participants: Clémence Bouvier.​

In this work 19​‌, we present the​​ arithmetization-oriented hash function Skyscraper,​​​‌ which is aimed at​ large prime fields and​‌ provides major improvements compared​​ to Reinforced Concrete or​​​‌ Monolith. First, the design​ is exactly the same​‌ for all large primes,​​ which simplifies analysis and​​​‌ deployment. Secondly, it achieves​ a performance comparable to​‌ cryptographic hash standards by​​ using low-degree non-invertible transformations​​​‌ and minimizing modulo reductions.​ Concretely, it hashes two​‌ 256-bit prime field (BLS12-381​​ curve scalar field) elements​​ in 135 nanoseconds, whereas​​​‌ SHA-256 needs 42 nanoseconds‌ on the same machine.‌​‌

7.2.5 Statistical properties of​​ Butterfly-like constructions

Participants: Clémence​​​‌ Bouvier.

In this‌ work 25, we‌​‌ present a classification of​​ Butterfly-like constructions based on​​​‌ their statistical (differential and‌ linear) properties. This work‌​‌ offers new perspectives on​​ the cryptographic potential and​​​‌ limitations of these designs,‌ which were originally introduced‌​‌ over binary fields and​​ are now being explored​​​‌ over prime fields.

7.2.6‌ A Caribbean Directory-based Encryption‌​‌ during the American War​​ of Independence

Participants: Cécile​​​‌ Pierrot, Gaspard Damoiseau-Malraux‌.

This work 29‌​‌ focuses on a corpus​​ of letters located at​​​‌ the Archives Nationales d’OutreMer‌ in Aix-en-Provence, France. These‌​‌ late 18th-century letters come​​ from Saint Domingue (now​​​‌ Haiti), a former French‌ colony in the Caribbean‌​‌ Sea of which Bellecombe,​​ the author, was governor.​​​‌ They were written in‌ the context of the‌​‌ American War of Independence,​​ in which France took​​​‌ part on the side‌ of the Americans. We‌​‌ have reconstructed Bellecombe’s correspondence​​ with the Secretary of​​​‌ State for the Navy,‌ in Versailles: the archives‌​‌ contain hundreds of letters​​ in clear and three​​​‌ encrypted letters, including some‌ clear/cipher pages that were‌​‌ our lever for reconstructing​​ part of the key,​​​‌ and 96% of the‌ encrypted letter that was‌​‌ opaque at first. From​​ a cryptanalytical point of​​​‌ view, Bellecombe used a‌ directory-based encryption. The common‌​‌ use of this type​​ of cipher in the​​​‌ 17th and 18th-century European‌ countries raises the question‌​‌ of the method to​​ be used (then as​​​‌ now!) to decode such‌ messages.

7.2.7 Decryption of‌​‌ an Encrypted Telegram from​​ governor Hercílio Luz to​​​‌ Brazilian President Floriano Peixoto‌ (1894)

Participants: Cécile Pierrot‌​‌.

Floriano Peixoto was​​ a Brazilian military officer​​​‌ and politician of the‌ XIX° century. He was‌​‌ the second president of​​ the Republic of Brazil​​​‌ following the abolition of‌ the monarchy in 1889.‌​‌ He governed from 23​​ November 1891 to 15​​​‌ November 1894 : the‌ telegram we decrypted in‌​‌ 36 is dated 3​​ September 1894, so towards​​​‌ the end of his‌ term of office. The‌​‌ sender is Hercílio Luz,​​ governor of the Brazilian​​​‌ state of Santa Catarina‌ from 1894 to 1898.‌​‌ The content of the​​ message deals with the​​​‌ articulations of an election‌ that took place in‌​‌ 1894.

7.2.8 Déchiffrement d'une​​ lettre de François I​​​‌er à Christophe Richer‌ (21 janvier 1547)

Participants:‌​‌ Camille Desenclos, Paul​​ Zimmermann.

In 38​​​‌, with the help‌ of a young intern,‌​‌ Ioana Ionescu, we deciphered​​ an isolated letter from​​​‌ François Ier to‌ Christophe Richer kept in‌​‌ the Archives of the​​ Ministry of Foreign Affairs,​​​‌ France.

7.3.1 Design​​ of new voting protocols​​​‌

Participants: Pierrick Gaudry,‌ Léo Louistisserand.

The‌​‌ article 21 has been​​ published. This work introduces​​​‌ our proposal of a‌ new protocol called Vote&Check,‌​‌ a postal voting scheme.​​

In 32, together​​​‌ with colleagues from the‌ PESTO team and from‌​‌ the Swiss Post company,​​​‌ we proposed a new​ protocol suitable for the​‌ Swiss context.

For a​​ long time, the Federal​​​‌ Chancellery was accepting to​ trust an offline component​‌ to set up data​​ and in particular the​​​‌ voting material. Today, the​ Chancellery aims at removing​‌ this strong trust assumption.​​ Our proposition abides by​​​‌ this new will. At​ the heart of our​‌ system lies a setup​​ phase where several parties​​​‌ create the voting material​ in a distributed way,​‌ while allowing one of​​ the parties to remain​​​‌ offline during the voting​ phase. A complication arises​‌ from the fact that​​ the voting material has​​​‌ to be printed, sent​ by postal mail, and​‌ then used by the​​ voter to perform several​​​‌ operations that are critical​ for security. Usability constraints​‌ are taken into account​​ in our design, both​​​‌ in terms of computation​ complexity (linear setup and​‌ tally) and in terms​​ of user experience (we​​​‌ ask the voter to​ type a high-entropy string​‌ only once). The security​​ of our scheme is​​​‌ proved in a symbolic​ setting, using the ProVerif​‌ prover, for various corruption​​ scenarios, demonstrating that it​​​‌ fulfills the Chancellery's requirements​ and sometimes goes slightly​‌ beyond them.

7.3.2 Attacks​​ on the CHVote e-voting​​​‌ protocol

Participants: Pierrick Gaudry​.

CHVote is one​‌ of the two main​​ electronic voting systems developed​​​‌ in the context of​ political elections in Switzerland,​‌ where the regulation requires​​ a specific setting and​​​‌ specific trust assumptions. In​ 27, we show​‌ that actually, CHVote fails​​ to achieve vote secrecy​​​‌ and individual verifiability (here,​ recorded-as-intended), as soon as​‌ one of the online​​ components is dishonest, contradicting​​​‌ the security claims of​ CHVote. In total, we​‌ found 9 attacks or​​ variants against CHVote, 2​​​‌ of them being based​ on a bug in​‌ the reference implementation. We​​ confirmed our findings through​​​‌ a proof-of-concept implementation of​ our attacks.

8.1.1 Collaboration​ with Google on correct​‌ rounding

Participants: Paul Zimmermann​​.

Although this is​​​‌ not formalized by a​ contract, we maintain regular​‌ contacts (via monthly video​​ conferences) with the LLVM/libc​​​‌ group (Google), in particular​ Tue Ly, discussing our​‌ different approaches for correct​​ rounding of mathematical functions​​​‌ between CORE-MATH and LLVM/libc.​

8.1.2 Training on floating-point​‌ algorithms

Participants: Paul Zimmermann​​.

In December, a​​​‌ training on floating-point algorithms​ was performed for engineers​‌ from AMD, at their​​ request. The training consisted​​​‌ of 5 sessions (by​ visio conference) of 2​‌ hours each, with 30-70​​ remote participants. The material​​​‌ is available online.​

8.1.3 Consulting with Swiss​‌ Post

Participants: Pierrick Gaudry​​.

Together with the​​​‌ PESTO team, we have​ a long-term consulting activity​‌ with Swiss Post on​​ the e-voting topic. In​​​‌ 2025 we have been​ working on the design​‌ of the next generation​​ of their e-voting protocol.​​​‌ This is a long-term​ process, that involves interaction​‌ with the Federal Chancellery​​ who coordinates the certification​​​‌ of the product for​ use in political elections.​‌ The protocol was advanced​​ enough to be written​​ as an academic-style preprint​​​‌ 32.

8.1.4 Consulting‌ with the BSI

Participants:‌​‌ Pierrick Gaudry.

The​​ Bundesamt für Sicherheit in​​​‌ der Informationstechnik (BSI) has‌ issued a call for‌​‌ a report on the​​ mechanisms that are used​​​‌ or that could be‌ used to ensure end-to-end‌​‌ verifiability in electronic voting.​​ The CNRS was a​​​‌ partner of the consortium‌ that answered the call.‌​‌ More specifically, we participated​​ in the analysis of​​​‌ the efficiency criteria, to‌ be used for evaluating‌​‌ the mechanisms.

9.2.1 Visits of international‌​‌ scientists

9.3.1 PEPR Quantique,‌ project PQ-TLS

Participants: Xavier‌​‌ Bonnetain, Pierre-Jean Spaenlehauer​​.

• Program: PEPR Quantique​​​‌
• Project acronym: PQ-TLS
• Duration:‌ 01/2022 - 12/2028
• Coordinator:‌​‌ Université de Rennes 1​​
• Other partners: Université de​​​‌ Limoges, Université de Rouen,‌ Université de Bordeaux, Université‌​‌ de Saint-Quentin-en Yvelines, Université​​ de Saint-Étienne, ENS de​​​‌ Lyon, Inria (GRACE, CARAMBA,‌ COSMIQ, PROSECCO), CEA (Grenoble‌​‌ LETI), CNRS Labstic (Lorient).​​

Since 1996 and the​​​‌ discovery of Shor's algorithm,‌ new quantum threats emerged‌​‌ against classical security protocols​​ and cryptographic primitives. The​​​‌ objective of the PQ-TLS‌ project is to design‌​‌ a quantum-safe version of​​ the security layer of​​​‌ web protocols, via the‌ integration of post-quantum cryptographic‌​‌ primitives and the quantum​​ cryptanalysis of existing systems.​​​‌ The project also aims‌ at developing new techniques‌​‌ to compare existing primitives​​ from the quantum viewpoint​​​‌ and at promoting arising‌ solutions from academic and‌​‌ industrial research. The goal​​ is to develop a​​​‌ large toolbox whose targets‌ range from the mathematical‌​‌ foundations of post-quantum cryptography​​ to its concrete implementations.​​​‌

Xavier Bonnetain is the‌ national coordinator of the‌​‌ work package 5 "Quantum​​ cryptanalysis".

Pierre-Jean Spaenlehauer is​​​‌ the local scientific coordinator‌ for the CARAMBA team.‌​‌

9.3.2 PEPR Cybersécurité, project​​ CRYPTANALYSE

Participants: Xavier Bonnetain​​​‌, Clémence Bouvier,‌ Sébastien Duval, Pierrick‌​‌ Gaudry, Virginie Lallemand​​, Marine Minier,​​​‌ Cécile Pierrot, Emmanuel‌ Thomé.

• Program: PEPR‌​‌ Cybersécurité
• Duration: 10/2023 -​​ 09/2028
• Coordinator: Inria
• Other​​​‌ partners: Inria (CARAMBA, COSMIQ,‌ CANARI/LFANT, CAPSULE), CNRS (Loria,‌​‌ Irisa, IRIF, LMV, IMB,​​ LIP6, LJK), Université de​​​‌ Rennes, Université de Montpellier,‌ Université Paris Cité, Université‌​‌ de Picardie Jules Verne,​​ Université de Versailles–Saint-Quentin en​​​‌ Yvelines, Université de Bordeaux,‌ Université Grenoble Alpes, Sorbonne‌​‌ Université.

Within the context​​ of the national PEPR​​​‌ program “cybersecurité” (launched in‌ 2021), a call for‌​‌ proposals was published in​​ July 2023 to complement​​​‌ the set of topics‌ with three new projects,‌​‌ among which one on​​​‌ the classical cryptanalysis of​ cryptographic primitives. We coordinated​‌ the nationwide answer to​​ this call for proposals,​​​‌ submitted in September 2022,​ and the project was​‌ accepted on March 27,​​ 2023. The project started​​​‌ on October 1, 2023.​

Emmanuel Thomé and Gaëtan​‌ Leurent (Inria COSMIQ, Paris)​​ lead the project. Several​​​‌ teams are involved. The​ project is divided into​‌ eight work packages, and​​ the CARAMBA team is​​​‌ involved in most of​ them.

9.3.3 Projet ANR​‌ KLEPTOMANIAC

Participants: Pierrick Gaudry​​, Cécile Pierrot,​​​‌ Pierre-Jean Spaenlehauer, Emmanuel​ Thomé, Paul Zimmermann​‌.

• Program: ANR AAPG​​
• Project acronym: KLEPTOMANIAC
• Duration:​​​‌ 01/2022 - 12/2026
• Coordinator:​ Inria Nancy
• Other partners:​‌ ANSSI, LIP6

The RSA​​ cryptosystem and the Diffie-Hellman​​​‌ key exchange protocol in​ finite fields were the​‌ first invented primitives of​​ public-key cryptography.

It is​​​‌ hard to estimate the​ time and resources that​‌ are needed to factor​​ an integer, and thereby​​​‌ how hard it is​ to break RSA. All​‌ regulatory bodies recommend that​​ people either avoid RSA,​​​‌ or prefer large RSA​ key sizes for safety,​‌ above 2048 bits at​​ least. In environments where​​​‌ computing power is plentiful,​ this recommendation is most​‌ often followed. Yet, it​​ is a fact that​​​‌ we do rely on​ cryptography that uses smaller​‌ key sizes.

The goal​​ of this project was​​​‌ to employ our expertise​ to provide solid hardness​‌ assessments for key sizes​​ that are relevant today,​​​‌ and for which accuracy​ in the prediction is​‌ important. Our targets for​​ accurate assessment were RSA-1024​​​‌ and DH-1024 as well​ as specific discrete logarithm-related​‌ problems that arise in​​ the blockchain context, together​​​‌ with the development of​ simulation software to enable​‌ more accurate estimates.

9.3.4​​ ANR OREO

Participants: Xavier​​​‌ Bonnetain, Sébastien Duval​, Virginie Lallemand,​‌ Marine Minier.

• Program:​​ ANR
• Project acronym: OREO​​​‌
• Duration: 01/2023 - 12/2026​
• Coordinator: Irisa (Rennes).
• Other​‌ partners: LORIA (Nancy), LMV​​ (Versailles).

This ANR project​​​‌ focuses on the use​ of Mixed Integer Linear​‌ Programming (MILP) in symmetric-key​​ cryptography, a direction that​​​‌ enjoyed rapid recognition in​ the symmetric-key community following​‌ the article by Mouha​​ et al.  54.​​​‌

MILP models can be​ used both to design​‌ and attack ciphers, but​​ the technique suffers from​​​‌ several limitations, some of​ which we plan to​‌ address in this project.​​ In particular, we aim​​​‌ to explore how to​ handle more complex cryptographic​‌ problems than what is​​ done so far (yet​​​‌ ensuring a reasonable solving​ time). This might imply​‌ finding how to improve​​ the modelization techniques or​​​‌ considering different approaches like​ first solving approximated models.​‌

9.3.5 Action exploratoire Back​​ In Time

Participants: Gaspard​​​‌ Damoiseau-Malraux, Camille Desenclos​, Michaël Mera,​‌ Cécile Pierrot, Paul​​ Zimmermann.

• Subject: Historical​​​‌ Cryptography
• Duration: October 2024​ - 2026
• Coordinator: Cécile​‌ Pierrot
• Other partners: Inria​​ Paris (ALMANACH), Université de​​​‌ Picardie.

BACK IN TIME​ brings together the expertise​‌ of researchers in three​​ fields — artificial intelligence​​​‌ (ALMANACH team), cryptography (CARAMBA​ team) and history (Camille​‌ Desenclos) — to decipher​​ encrypted historical documents. Given​​ the sheer volume of​​​‌ data involved, our aim‌ is to develop initial‌​‌ software to automate certain​​ ancient decipherments.

9.4.1 Answer‌ to CNIL consultation on‌​‌ e-voting

Participants: Pierrick Gaudry​​.

Together with members​​​‌ of the PESTO team,‌ we wrote a detailed‌​‌ answer to the consultation​​ organized by the CNIL​​​‌ on their project of‌ updating their recommendations for‌​‌ the usage of electronic​​ voting in France. This​​​‌ document was sent to‌ the CNIL and also‌​‌ put online 37.​​

10.1.1 Scientific‌ events: organisation

• Camille Desenclos‌​‌ has co-organized two workshops​​ (journées d’études) with Pauline​​​‌ Ferrier-Viaud (Université d’Artois) in‌ the context of the‌​‌ research project « Agir​​ et pouvoir(s) : les​​​‌ marges de manœuvre des‌ serviteurs de l’État à‌​‌ l’époque moderne ». The​​ first workshop (« Définir​​​‌ le service : les‌ mots des historiens »‌​‌ was held on May​​ 22nd in Arras ;​​​‌ the second one («‌ Définir le service :‌​‌ les mots des acteurs​​ ») took place on​​​‌ November 19th in Amiens.‌

10.1.2 Scientific​​ events: selection

10.1.3 Journal

10.1.4​‌ Invited talks

• Xavier Bonnetain​​ gave an invited talk​​​‌ at the IEMS-KMS International​ Workshop on Cryptography (South​‌ Korea).
• Xavier Bonnetain gave​​ an invited lecture at​​​‌ the European Quantum Technology​ Summer School 2025 (Germany).​‌
• Xavier Bonnetain gave an​​ invited talk at the​​​‌ Dagstulh Seminar 25431 "Quantum​ Cryptanalysis" (Germany).
• Clémence Bouvier​‌ gave an invited talk​​ at the C2 Seminar​​​‌ (Nancy), January 2025.
• Clémence​ Bouvier gave an invited​‌ lecture at the Winter​​ School of PEPR Cybersécurité​​​‌, Autrans, January 2025.​
• Clémence Bouvier gave an​‌ invited talk at the​​ ALPSY Workshop, Obergurgl, Austria,​​​‌ January 2025.
• Clémence Bouvier​ gave an invited talk​‌ at the APSIA Team​​ seminar (Luxembourg), February 2025.​​​‌
• Clémence Bouvier gave an​ invited lecture at the​‌ AMUSEC Workshop, CIRM,​​ Marseille, March 2025.
• Clémence​​​‌ Bouvier gave an invited​ talk at the Grace​‌ Team seminar (Saclay), March​​ 2025.
• Clémence Bouvier gave​​​‌ an invited talk at​ the WRACH Workshop, Roscoff,​‌ April 2025.
• Clémence Bouvier​​ gave an invited lecture​​​‌ at the SAC Summer​ School, Toronto, Canada,​‌ August 2025.
• Clémence Bouvier​​ gave an invited talk​​​‌ at the Canari Team​ seminar (Bordeaux), September 2025.​‌
• Virginie Lallemand gave an​​ invited talk at the​​​‌ Capsule Team seminar (Rennes),​ February 2025.
• Pierrick Gaudry​‌ gave an invited talk​​ at the Collège de​​​‌ France, Paris, November 2025.​
• Pierre-Jean Spaenlehauer gave an​‌ invited talk at the​​ Polsys Team seminar (Paris),​​ May 2025.
• Camille Desenclos​​​‌ gave an invited talk‌ at Journées Cybersécurité et‌​‌ SHS (GDR Sécurité Informatique​​ / GDR Internet, IA​​​‌ et Société), January 2025.‌
• Camille Desenclos gave an‌​‌ invited talk at the​​ Archives nationales (conférence «​​​‌ Retour aux sources »),‌ April 2025.
• Camille Desenclos‌​‌ gave an invited talk​​ at the seminar Sciences,​​​‌ légitimités, médiation (IDHE.S-Paris 8),‌ June 2025.
• Camille Desenclos‌​‌ gave an invited talk​​ at the seminar Les​​​‌ mercredis du CRUHL (Université‌ de Lorraine), November 2025.‌​‌
• Gaspard Damoiseau-Malraux gave an​​ invited talk for the​​​‌ ENACT cluster (biggest IA‌ Cluster in Grand Est),‌​‌ December 2025.
• Cécile Pierrot​​ gave an invited talk​​​‌ at Université Ouverte de‌ Dole, France, April 2025.‌​‌
• Cécile Pierrot gave an​​ invited talk at University​​​‌ of Waterloo, Canada, May‌ 2025.
• Cécile Pierrot and‌​‌ Camille Desenclos gave an​​ invited talk at the​​​‌ computer science department of‌ ENS Paris-Saclay, May 2025.‌​‌
• Cécile Pierrot gave an​​ invited talk at an​​​‌ online international biannual meeting‌ for historians (Cipher Zoom),‌​‌ October 2025.
• Cécile Pierrot​​ gave an invited talk​​​‌ at Laboratoire de Physique‌ des Solides, Orsay University,‌​‌ November 2025.
• Emmanuel Thomé​​ gave an invited talk​​​‌ at the WRACH Workshop,‌ Roscoff, April 2025.

10.1.5‌​‌ Leadership within the scientific​​ community

• Pierrick Gaudry is​​​‌ co-head of the GdR‌ Sécurité informatique.
• Pierrick Gaudry‌​‌ is a member of​​ the steering committee of​​​‌ the École de Printemps‌ d'Informatique Théorique (EPIT).
• Pierre-Jean‌​‌ Spaenlehauer is a member​​ of the bureau of​​​‌ the Aathena axis (Aspects‌ algorithmiques de la théorie‌​‌ des nombres et ses​​ applications) of the CNRS​​​‌ Réseau Thématique de Théorie‌ des Nombres (rt2n‌​‌).
• Camille Desenclos is​​ a member of the​​​‌ Steering Committee of the‌ HistoCrypt international network.
• Camille‌​‌ Desenclos is a member​​ of the bureau of​​​‌ the Association des historiens‌ modernistes des universités françaises‌​‌ (AHMUF).
• Cécile Pierrot is​​ a member of the​​​‌ steering committee of the‌ Journées Codage et Cryptographie.‌​‌

10.1.6 Scientific expertise

• Pierrick​​ Gaudry was a member​​​‌ of the selection committee‌ for an assistant professor‌​‌ position in section 25​​ in Marseille.
• Marine Minier​​​‌ is a nominated member‌ of the CNU 27‌​‌ (2023-2027).
• Marine Minier was​​ president of the selection​​​‌ committee for the professor‌ position 25PR1187, Université de‌​‌ Lorraine and IECL.
• Cécile​​ Pierrot was a member​​​‌ of the selection committee‌ for "chargé de recherche"‌​‌ positions for Inria Center​​ of Université de Lorraine.​​​‌
• Paul Zimmermann was co-president‌ of the selection committee‌​‌ for an assistant professor​​ position in Telecom Nancy.​​​‌

10.1.7 Research administration

• Xavier‌ Bonnetain is the local‌​‌ coordinator of the Inria​​ activity reports for the​​​‌ Inria Centre at Université‌ de Lorraine (among them,‌​‌ this very document).
• Pierrick​​ Gaudry is head of​​​‌ the Department 1 of‌ LORIA, and, as such,‌​‌ member of the Scientific​​ Council of LORIA.
• Pierrick​​​‌ Gaudry is a member‌ of Comité des utilisateurs‌​‌ des moyens de calcul​​ INRIA.
• Pierrick Gaudry and​​​‌ Marine Minier are members‌ of the steering committee‌​‌ of the LHS –​​ Laboratoire Haute Sécurité of​​​‌ LORIA.
• Virginie Lallemand is‌ a member of the‌​‌ commission du personnel (COMIPERS)​​​‌ of the Inria research​ center.
• Pierre-Jean Spaenlehauer is​‌ head of the Commission​​ de Développement Technologique (CDT)​​​‌ of the Centre Inria​ de l’Université de Lorraine.​‌
• Cécile Pierrot is a​​ member of Bureau du​​​‌ Comité des Projets (BCP),​ Inria Nancy.
• Cécile Pierrot​‌ is a member of​​ the Comité de Centre​​​‌ (Loria/Inria Nancy).
• Emmanuel Thomé​ is a member of​‌ the commission de recrutement​​ des doctorants (COMIDOC), in​​​‌ the LORIA context.
• Paul​ Zimmermann is member of​‌ the scientific committee of​​ the EXPLOR computing center​​​‌ from University of Lorraine.​

10.2.1​​ Supervision

• Pierre-Jean Spaenlehauer has​​​‌ defended his Habilitation à​ Diriger des Recherches in​‌ February 2025. The habilitation​​ thesis 30 focuses on​​​‌ algorithmic interactions between arithmetic​ geometry and computer algebra.​‌
• Ph.D. in progress: Julien​​ Soumier, Algorithms for Isogenies​​ of Abelian Varieties and​​​‌ Post-Quantum Cryptography, since‌ Oct. 2023, Pierre-Jean Spaenlehauer‌​‌ and Pierrick Gaudry .​​
• Ph.D. in progress: Marie​​​‌ Bolzer, Algorithmique et outils‌ automatiques pour la construction‌​‌ et l'analyse de composants​​ de cryptographie symétrique,​​​‌ since Oct. 2023, Sébastien‌ Duval and Marine Minier‌​‌ .
• Ph.D. in progress:​​ Thierno Sabaly, Designs and​​​‌ cryptanalysis in symmetric key‌ primitives especially block ciphers.‌​‌, since Oct. 2024,​​ Marine Minier .
• Ph.D.​​​‌ in progress: Hugo Nartz,‌ Computing isogeny classes of‌​‌ abelian varieties over number​​ fields, Jean Kieffer​​​‌ and Emmanuel Thomé .‌
• Ph.D. in progress: Thomas‌​‌ Sagot, Attack Modelling of​​ Symmetric Primitives, since​​​‌ Oct. 2025, Emmanuel Thomé‌ , Xavier Bonnetain ,‌​‌ Christina Boura (IRIF) and​​ Virginie Lallemand .
• Ph.D.​​​‌ in progress: Léo Louistisserand,‌ Conception et analyse de‌​‌ protocoles de vote utilisés​​ ou utilisables en pratique​​​‌, since Oct. 2023,‌ Pierrick Gaudry and Véronique‌​‌ Cortier (PESTO team).
• Ph.D.​​ in progress: Medhi Kermaoui,​​​‌ Quantum cryptanalysis of public-key‌ cryptosystems, since Oct.‌​‌ 2023, Xavier Bonnetain and​​ Pierrick Gaudry .
• Ph.D.​​​‌ in progress: Gaspard Damoiseau-Malraux,‌ Cryptanalysis of historial documents‌​‌ with optimisation algorithms,​​ since Oct. 2025, Cécile​​​‌ Pierrot and Charles Bouillaguet‌ .
• Research Engineer: Michaël‌​‌ Mera , Computer science​​ Tools for the Back​​​‌ In Time project,‌ since February. 2025, Cécile‌​‌ Pierrot .

10.2.2 Juries​​

• Pierre-Jean Spaenlehauer was a​​​‌ reviewer for the Ph.D.‌ thesis of Anaëlle Le‌​‌ Dévéhat (December 2025, Institut​​ Polytechnique de Paris).
• Marine​​​‌ Minier was member of‌ the jury for the‌​‌ Ph.D. thesis of Sara​​ Majbour (July 2025, Université​​​‌ de Caen Normandie).
• Marine‌ Minier was president of‌​‌ the Ph.D. thesis of​​ Ala Eddine Laouir (November​​​‌ 2025, Université de Lorraine).‌
• Marine Minier was a‌​‌ reviewer of the Ph.D.​​ thesis of Thomas Prévost​​​‌ (February 2026, Université Côte‌ d'Azur).
• Marine Minier was‌​‌ Marraine of HDR and​​ member of the jury​​​‌ for the HDR thesis‌ of Abdelkader Lahmadi (March‌​‌ 2025, Université de Lorraine).​​
• Virginie Lallemand was member​​​‌ of the jury for‌ the Ph.D. thesis of‌​‌ Phuong-Hoa Nguyen (February 2025,​​ Université de Rennes).
• Emmanuel​​​‌ Thomé was a reviewer‌ for the Ph.D. thesis‌​‌ of Nicolas Sarkis (July​​ 2025, Université de Bordeaux).​​​‌
• Emmanuel Thomé was a‌ reviewer for the HDR‌​‌ thesis of Bruno Grenet​​ (November 2025, Université de​​​‌ Grenoble Alpes).
• Pierrick Gaudry‌ was a reviewer for‌​‌ the Ph.D. thesis of​​ Jean Gasnier (July 2025,​​​‌ Université de Bordeaux).
• Pierrick‌ Gaudry was president of‌​‌ the the Ph.D. thesis​​ of Pierrick Dartois (July​​​‌ 2025, Université de Bordeaux).‌
• Pierrick Gaudry was president‌​‌ of the Ph.D. thesis​​ of Camille Lanuel (November​​​‌ 2025, Université de Lorraine).‌

10.3.1 Productions‌ (articles, videos, podcasts, serious‌​‌ games, ...)

• Camille Desenclos​​​‌ was interviewed by both​ the written press and​‌ TV media in 2025:​​
  • TV interview with TF1​​​‌ for the midday news​ (February 2025),
  • TV interview​‌ with Arte for a​​ documentary on Mary Stuart’s​​​‌ encrypted letter ("Marie Stuart,​ l’énigme des lettres codées",​‌ réal. Augustin Viatte, broadcast​​ on September 2025),
  • press​​​‌ conference for the latter​ documentary (July 2025) and​‌ interviews for Arte Magazine​​ and Telepro.
• Cécile​​​‌ Pierrot wrote an article​ for The Conversation France,​‌ January 2025.
• Cécile Pierrot​​ was interviewed for a​​​‌ short video for The​ Conversation France, January 2025.​‌
• Cécile Pierrot was interviewed​​ for TV interview with​​​‌ TF1 for the midday​ news, January 2025.

10.3.2​‌ Participation in Live events​​

• Clémence Bouvier met with​​​‌ four classes from Charles​ Hermite high school for​‌ the Chiche project, Dieuze,​​ March 2025.
• Clémence Bouvier​​​‌ participated in the European​ Women in Science Days​‌ at Féru des Sciences,​​ Nancy, September 2025.
• Clémence​​​‌ Bouvier participated in the​ week-long event for high​‌ school girls Les Cigognes​​, Les Voivres, October​​​‌ 2025.
• Paul Zimmermann participated​ in the Fête de​‌ la Science in Bouxurulles,​​ a small village in​​​‌ the south of Nancy,​ October 2025.
• Cécile Pierrot​‌ gave a talk at​​ Château de Lunéville, France,​​​‌ for a large audience,​ June 2025.
• Cécile Pierrot​‌ and Paul Zimmermann hosted​​ a scientific journalist for​​​‌ one week in their​ lab, as part of​‌ an exchange between media​​ and research January 2025.​​​‌

10.3.3 Others science outreach​ relevant activities

• Julien Soumier​‌ and Paul Zimmermann participated​​ in the Math-En-Jeans project.​​​‌ They supervised a group​ of teenagers from the​‌ Lycée Français Vauban du​​ Luxembourg.

International journals

• 16​​ articleK.Kaveh Bashiri​​​‌, X.Xavier Bonnetain​, A.Akinori Hosoyamada​‌, N.Nathalie Lang​​ and A.André Schrottenloher​​​‌. Improved Quantum Linear​ Attacks and Application to​‌ CAST.IACR Transactions​​ on Symmetric Cryptology2025​​​‌2June 2025,​ 124-165HALDOIback​‌ to text
• 17 article​​A.Alexandre Benoist and​​​‌ J.Jean Kieffer.​ The asymptotic distribution of​‌ Elkies primes for reductions​​ of abelian varieties is​​​‌ Gaussian.Research in​ Number Theory1165​‌July 2025HALDOI​​back to textback​​​‌ to text
• 18 article​M.Marie Bolzer,​‌ S.Sébastien Duval and​​ M.Marine Minier.​​​‌ A New Tool to​ Find Lightweight (And, Xor)​‌ Implementations of Quadratic Vectorial​​ Boolean Functions up to​​​‌ Dimension 9.IEEE​ Transactions on Circuits and​‌ Systems I: Regular Papers​​731September 2025​​​‌, 478-491HALDOI​back to text
• 19​‌ articleC.Clémence Bouvier​​, L.Lorenzo Grassi​​​‌, D.Dmitry Khovratovich​, K.Katharina Koschatko​‌, C.Christian Rechberger​​, F.Fabian Schmid​​​‌ and M.Markus Schofnegger​. Skyscraper: Fast Hashing​‌ on Big Primes.​​IACR Transactions on Cryptographic​​​‌ Hardware and Embedded Systems​2025March 2025,​‌ 743-780HALDOIback​​ to text
• 20 article​​​‌ N.Nicolas Brisebarre,​ G.Guillaume Hanrot,​‌ J.-M.Jean-Michel Muller and​​ P.Paul Zimmermann.​​​‌ Correctly rounded evaluation of​ a function: why, how,​‌ and at what cost?​​ ACM Computing Surveys 58​​​‌ 1 January 2026 HAL​ DOI back to text​‌
• 21 articleV.Véronique​​ Cortier, A.Alexandre​​​‌ Debant, P.Pierrick​ Gaudry and L.Léo​‌ Louistisserand. Vote&Check: Secure​​ Postal Voting with Reduced​​​‌ Trust Assumptions.Proceedings​ on Privacy Enhancing Technologies​‌202532025,​​ 333-348HALDOIback​​​‌ to text
• 22 article​J.Juan Di Mauro​‌, H.Hamid Boukkerou​​, G.Gilles Millerioux​​​‌, M.Marine Minier​ and T.Thomas Stoll​‌. Provable randomness over​​ lightweight permutations.Cryptography​​​‌ and Communications - Discrete​ Structures, Boolean Functions and​‌ Sequences 17January 2025​​, 27–40HALDOI​​​‌
• 23 articleJ.Jean​ Kieffer, A.Aurel​‌ Page and D.Damien​​ Robert. Computing isogenies​​​‌ from modular equations in​ genus two.Journal​‌ of Algebra666March​​ 2025, 331-386HAL​​​‌DOIback to text​

International peer-reviewed conferences

• 24​‌ inproceedingsM.Matthieu Amet​​, O.Oussama Ben​​​‌ Moussa, G.Guillaume​ Bonfante and S.Sébastien​‌ Duval. Monitoring the​​ execution of cryptographic functions​​​‌.Foundations and Practice​ of Security (FPS)FPS-2024​‌ - 17th International Symposium​​ on Foundations & Practice​​​‌ of Security15532Lecture​ Notes in Computer Science​‌Montréal (Québec), CanadaSpringer​​ Nature SwitzerlandMay 2025​​​‌, 377-392HALDOI​
• 25 inproceedingsC.Clémence​‌ Bouvier. Statistical properties​​ of Butterfly-like constructions.​​Fq16 - International Conference​​​‌ on Finite Fields and‌ Their Applications 2025Sao‌​‌ Carlos, BrazilJuly 2025​​HALback to text​​​‌
• 26 inproceedingsS.Sélène‌ Corbineau and P.Paul‌​‌ Zimmermann. Correct Rounding​​ in Double Extended Precision​​​‌.Proceedings of 32nd‌ IEEE Symposium on Computer‌​‌ Arithmetic32nd IEEE Symposium​​ on Computer ArithmeticEl​​​‌ Paso, TX, United States‌May 2025HAL
• 27‌​‌ inproceedingsV.Véronique Cortier​​, A.Alexandre Debant​​​‌ and P.Pierrick Gaudry‌. Breaking verifiability and‌​‌ vote privacy in CHVote​​.30th European Symposium​​​‌ on Research in Computer‌ Security - ESORICS 2025‌​‌Toulouse, FranceSpringer2025​​HALback to text​​​‌back to text
• 28‌ inproceedingsC.-P.Claude-Pierre Jeannerod‌​‌ and P.Paul Zimmermann​​. FastTwoSum revisited.​​​‌Proceedings of 32nd IEEE‌ Symposium on Computer Arithmetic‌​‌32nd IEEE Symposium on​​ Computer Arithmetic (ARITH 2025)​​​‌El Paso, TX, United‌ StatesMay 2025HAL‌​‌
• 29 inproceedingsC.Cécile​​ Pierrot, G.Gaspard​​​‌ Damoiseau-Malraux, P.Paul‌ Mekhail, O.Olivier‌​‌ Chaline and L.Ludovic​​ Perret. A Caribbean​​​‌ Directory-based Encryption during the‌ American War of Independence:‌​‌ Bellecombe, governor of Saint-Domingue,​​ 1782.International Conference​​​‌ on Historical Cryptology (HistoCrypt‌ 2025)Poznan, PolandJune‌​‌ 2025HALback to​​ text

Doctoral dissertations and​​​‌ habilitation theses

• 30 thesis‌P.-J.Pierre-Jean Spaenlehauer.‌​‌ Fast Algebraic Algorithms for​​ Arithmetic Geometry and Polynomial​​​‌ Systems.Université de‌ LorraineFebruary 2025HAL‌​‌back to text

Reports​​ & preprints

• 31 misc​​​‌X.Xavier Bonnetain,‌ J.Johanna Loyer,‌​‌ A.André Schrottenloher and​​ Y.Yixin Shen.​​​‌ A Tight Quantum Algorithm‌ for Multiple Collision Search‌​‌.2025HAL
• 32​​ miscV.Véronique Cortier​​​‌, A.Alexandre Debant‌, O.Olivier Esseiva‌​‌, P.Pierrick Gaudry​​, A.Audhild Hoegaasen​​​‌ and C.Chiara Spadafora‌. A Practical and‌​‌ Fully Distributed E-Voting Protocol​​ for the Swiss Context​​​‌.December 2025HAL‌back to textback‌​‌ to text
• 33 misc​​N. D.Noam D.​​​‌ Elkies and J.Jean‌ Kieffer. Fast evaluation‌​‌ of Riemann theta functions​​ in any dimension.​​​‌May 2025HALback‌ to textback to‌​‌ text
• 34 miscP.​​Pierrick Gaudry, J.​​​‌Julien Soumier and P.-J.‌Pierre-Jean Spaenlehauer. Computing‌​‌ Isomorphisms between Products of​​ Supersingular Elliptic Curves.​​​‌March 2025HALback‌ to text
• 35 misc‌​‌B.Brian Gladman,​​ V.Vincenzo Innocente,​​​‌ J.John Mather and‌ P.Paul Zimmermann.‌​‌ Accuracy of Mathematical Functions​​ in Single, Double, Double​​​‌ Extended, and Quadruple Precision‌.February 2025HAL‌​‌back to text
• 36​​ miscC.Cécile Pierrot​​​‌. Decryption of an‌ Encrypted Telegram from governor‌​‌ Hercílio Luz to Brazilian​​ President Floriano Peixoto (1894)​​​‌.July 2025HAL‌back to text

Other‌​‌ scientific publications

• 37 misc​​V.Véronique Cortier,​​​‌ A.Alexandre Debant,‌ J.Jannik Dreier,‌​‌ P.Pierrick Gaudry,​​ L.Lucca Hirschi and​​​‌ S.Steve Kremer.‌ Réponse au projet de‌​‌ mise à jour de​​ la recommandation de la​​​‌ CNIL sur le vote‌ électronique.Inria2025‌​‌HALback to text​​​‌
• 38 miscC.Camille​ Desenclos, P.Paul​‌ Zimmermann and I.Ioana​​ Ionescu. Déchiffrement d'une​​​‌ lettre de François Ier​ à Christophe Richer (21​‌ janvier 1547).February​​ 2025HALback to​​​‌ text